The end is near for cross-origin CSS attacks
- collinj's blog
We're happy to announce that a solution is now available for a long-standing security flaw in browser handling of style sheets. Internet Explorer 9 now joins Opera, Google Chrome, Safari, and Firefox in adopting the defense for this vulnerability.
How the attack works
Browsers must constantly guess what web authors intended. Guess correctly and the user is delighted. Guess wrong and the web site will break... or worse. Last year, the WebBlaze group at UC Berkeley helped browser vendors rein in their guessing of content types to prevent third-party PDFs and images from being incorrectly treated as privileged HTML. However, a related vulnerability remained.
The vulnerability has to do with loading of cross-origin resources. Normally, one web site cannot directly read HTML documents belonging to another web site. This important browser functionality keeps attacker.com from reading your Gmail, for example. However, web sites can include resources like scripts, stylesheets (CSS), images, and movies from other sites. By including another site's documents as a stylesheet, it is possible to read secrets from other sites and even hijack the user's session.
How it was fixed
Our proposed client-side defense is to enforce content type checking for style sheets loaded cross-origin. This behavior gives web servers a way to block their HTML documents from being parsed as stylesheets.
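To make the strict rule above concrete, here is an added Python sketch of the decision a browser makes before applying a fetched resource as CSS; it is illustration written for this post, not browser code or the authors' code, and the function names and sample URLs are assumptions. It models only the strict variant (cross-origin sheets must carry a text/css Content-Type), not the "minimal" relaxation.

```python
from typing import Optional
from urllib.parse import urlsplit

# Default ports so that https://a.example and https://a.example:443 are one origin.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str):
    """Return the (scheme, host, port) origin tuple of a URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def media_type(content_type: Optional[str]) -> str:
    """Extract the bare media type from a Content-Type header,
    dropping parameters such as charset and normalising case."""
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def should_apply_stylesheet(document_url: str, sheet_url: str,
                            content_type: Optional[str]) -> bool:
    """Strict cross-origin CSS defense (assumed function name).

    A response fetched from another origin is honoured as a stylesheet only
    when the server labelled it text/css. Same-origin sheets keep the old
    lenient behaviour, since the defense described in the post applies to
    cross-origin loads only."""
    if origin(document_url) == origin(sheet_url):
        return True
    return media_type(content_type) == "text/css"


def blocked_loads(document_url: str, loads):
    """Given constructed (sheet_url, content_type) pairs, return the ones a
    browser with the defense would refuse to parse as CSS."""
    return [(url, ct) for url, ct in loads
            if not should_apply_stylesheet(document_url, url, ct)]
```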
However, coming up with defenses is easy. The real problem is how to deploy them. Any time you make a change to browser behavior there's a chance you'll break someone's favorite web site, so we did our best to make sure that this defense would really be acceptable. We looked at the top 100,000 web sites and found 74 CSS references that would be broken by this behavior. We then developed a "minimal" defense that has perfect compatibility with these sites and similar security properties.
Our proposed behavior was first deployed in a stable release of Opera 10.10 last November. Google Chrome, Safari, and Firefox followed suit with stable releases in January, March, and July. Internet Explorer has not yet deployed the change in a stable release, but it can be seen in Internet Explorer 9 Preview 4. We hope that Microsoft will include it as a security update for stable versions of IE as well. Update: Microsoft has patched IE6, IE7, and IE8.
This research is a collaboration between David Huang, Zack Weinberg, and Collin Jackson from the CMU Silicon Valley web security group and Chris Evans of Google. Eric Lawrence was our contact at Microsoft. We've written up a paper with all the gory details of the attack and our compatibility assessment of the defense. The paper will appear at the ACM Computer and Communications Security conference in October.
Are you protected?
We've added a BrowserScope security test that checks for the presence of the new, secure CSS handling behavior. You can use this test to see if your browser is protected. The test loads a text/html document as a stylesheet and sees if the browser parses it. You can check your browser by following this link:
We've also added two other security tests: cross-origin resource sharing and preventing attacks on a user's history through CSS :visited selectors. I'll write up some more thoughts about the latter defense in a future post.